72d779a0485360b5a636bc014d5ccf88ff4745453382ac675b968d5301f9b418

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe
Size

250KB
MD5

4c0a7ca04aac0a5abb6a0ae0d59d7a0d
SHA1

1bb69e84abfd74269e9785f5b679c30467532a14
SHA256

72d779a0485360b5a636bc014d5ccf88ff4745453382ac675b968d5301f9b418
SHA512

aa5cc1743d5443609c8b749d45066ca06193164d87bd4672eee720d097d99716d9acff4854f413dfe32c6fe7a681da25d131c546f9186592f7b327e45ded835e
SSDEEP

6144:j7y+Qfb56BBMl5yyw5CpA/7sJ5pwvP6bQ7yMP+DE827KJF:/yf6aw5krJ5i6b7MP+Dd2A

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\inf\ram32xp.dll	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe
File created	C:\Windows\inf\ram65xp.dll	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2636	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2636	AcroRd32.exe
2636	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2676	2724	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2676	2724	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2676	2724	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2676	2724	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2676	2724	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2676	2724	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2676	2724	4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe	30
PID 2796 wrote to memory of 2636	2796	explorer.exe	32
PID 2796 wrote to memory of 2636	2796	explorer.exe	32
PID 2796 wrote to memory of 2636	2796	explorer.exe	32
PID 2796 wrote to memory of 2636	2796	explorer.exe	32

C:\Users\Admin\AppData\Local\Temp\4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c0a7ca04aac0a5abb6a0ae0d59d7a0d_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe "c:\FINAL_TBF2.pdf"
  2⤵
  PID:2676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\FINAL_TBF2.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
af90ea9b6cc31dc0197dfad2e8a0f50e

SHA1
6d376c348b04f495d73b7c42fc231fb60496a45c

SHA256
33b0bf89d0da93c8387097290033b791b12f7f318b81bd521caa1c893c70bb62

SHA512
1151fdacfdb0388ba9d68f75cb5beab25b367fe32e14334283c1fb3a82f14f24b8358fc83c76e29785b171ab4bcf1d358b9d3476b86097afe4d61c8647d22f47

Download Submit
memory/2724-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2724-3-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2724-2-0x0000000000459000-0x000000000045A000-memory.dmp

Filesize
4KB

Download
memory/2724-1-0x00000000008E0000-0x0000000000959000-memory.dmp

Filesize
484KB

Download
memory/2724-4-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2724-7-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads